metamorpherrat | 95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5f

General

Target

95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
Size

78KB
MD5

fb4a198b8f0f9c1e77432abbe4a17c50
SHA1

3c592ae6f00078f3454963af774d9084e3ed0790
SHA256

95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5f
SHA512

6339262c1a74fca76d4a225f239afd2841f622d452ce6e5686d68eaea2e42a1871889473dd3b8b0c8c13424a512deb636ff8bcfb1d00598720b5199554e38d1c
SSDEEP

1536:+sHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt59/l1JP:+sHYn3xSyRxvY3md+dWWZy59/F

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2116	tmp692F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp692F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp692F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
Token: SeDebugPrivilege	2116	tmp692F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1844	2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	30
PID 2848 wrote to memory of 1844	2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	30
PID 2848 wrote to memory of 1844	2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	30
PID 2848 wrote to memory of 1844	2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	30
PID 1844 wrote to memory of 2916	1844	vbc.exe	32
PID 1844 wrote to memory of 2916	1844	vbc.exe	32
PID 1844 wrote to memory of 2916	1844	vbc.exe	32
PID 1844 wrote to memory of 2916	1844	vbc.exe	32
PID 2848 wrote to memory of 2116	2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	33
PID 2848 wrote to memory of 2116	2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	33
PID 2848 wrote to memory of 2116	2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	33
PID 2848 wrote to memory of 2116	2848	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	33

C:\Users\Admin\AppData\Local\Temp\95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
"C:\Users\Admin\AppData\Local\Temp\95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mdyaci6d.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AC5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6AC4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\tmp692F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp692F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6AC5.tmp

Filesize
1KB

MD5
90d7c3f56a79ec87bb77d595e478f6fc

SHA1
d38e40eac04fe7072c255b0a9e4ad19699c1e4ad

SHA256
44a8524b28b751a08f2897a4847574ec82168851d3f2c7bd5027a7a579975fcb

SHA512
0c1452f4f9695598c8c805198c67f59e26dff058ef74d62b7d0a76857f565c59fbf4b9c70d35adc4c82674e211e2beb2381306d60f8098cbcb29d24a431a87e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdyaci6d.0.vb

Filesize
15KB

MD5
c2481a8fed88aed7f917fbbe5fa961d0

SHA1
a500eec0bb5a5c61f2e339398896403396d59f38

SHA256
8595ad6af5a16ba103d53cf5816b83adf188a6e14cc4fafbf9efb6393bd7b8a2

SHA512
080ed729159019824325ff0a42f3c64dc52a6dcc8a8516844e02de0469c751861f46b7e2734b3832b7c04a8754e7201af0a8d9d1fb84ea3b61960791e029ddae

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdyaci6d.cmdline

Filesize
266B

MD5
2b963025c6cea3cc688dfe570fa156f9

SHA1
35516bbc90a3df788b51629014c15b39097cb522

SHA256
356fdae6923c8f365b3b4a31adeb427a96699624f98133f5dbf39f90fe47023c

SHA512
027c383739783f7bd8f95dd5f381f4386cadb6396860ce6d440bf76591579da52732d7fb4d04c6c66ec5d266b32b15f33843c8080717371f07d36f36d5ce5b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp692F.tmp.exe

Filesize
78KB

MD5
0c50ba1b59a7f28daed4203846a698cd

SHA1
3403dca44e798a725b68aa65489697becece4d9e

SHA256
f8c62c5eeec396b9d2914aa702dc891bf8597ae5962389a3e6c6ed35e920bc1c

SHA512
aaf7b0d085c196062596ca70c0903b9b158ff32fc07e963c9365e86cb38cdff63778bf6f5c7322b47ca564950cd8c4fd9d4fcde8a80f75459d69a9f33e599bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6AC4.tmp

Filesize
660B

MD5
31cf816845b8101d73b5d1745df651f4

SHA1
87bb6f14ab4a71c7ec400d520575bd2403ca24bd

SHA256
052564751cf7071ddca28090e4bf7aa975b4b5a27526e690c282b258bf5544a3

SHA512
be644ac3afc17c94504c7898e284067d1e4ec20061b88eecf2ce1693ab579a134e4ef257979df6de67714ec6eabbc864bb7e25ec118958f8c3e636b13a02f116

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1844-8-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1844-18-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-0-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-24-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads